Skip to main content
Skip table of contents

Release note Certificate Manager 8.6.1

Release Date: 2022-10-28

Version: 8.6.1

Certificate Manager release 8.6.1 fully replaces Certificate Manager release 8.6 due to an error in the documentation.

Main new features

Support for new Microsoft extension szOID_NTDS_CA_SECURITY_EXT

Related to Microsoft KB5014754: Certificate-based authentication changes on Windows domain controllers.

Certificate Manager now supports the new Microsoft extension called 'szOID_NTDS_CA_SECURITY_EXT', a security extension for enhanced security protections. Certificates containing the new extension can be requested over WinEP, CM Windows Enrollment Proxy. Adding the new extension to the certificate is made by using the modifier 'CaSecurityExternalModifier'. See "Microsoft Certificate Extension Modifiers" in the Technical Description for more information.

Issue attribute certificates via CM Rest API

Certificate Manager Rest API has been extended with an endpoint for requesting RFC 5755 attribute certificates. The REST API endpoint issues an attribute certificate from a PKCS#10 request and returns the result as PKCS#7. This endpoint is configured in See Certificate Manager (CM) REST API for more information.

Issuing certificates with wildcard domains through ACME

Certificate Manager now supports issuance of certificates which contain a wildcard in the domain name through the ACME protocol. ACME orders which contain wildcards in the DNS identifier are challenged with the DNS-01 challenge. See Request certificate via ACME and Protocol Gateway in Certificate Manager for more information.

Validation of requesting CM officer

In cases where a CM-SDK request is signed by a VRO (Virtual Registration Officer) and not the requesting officer, it is now possible to enable validation of the requesting officer. This validation is implemented in the new RequestingOfficerVerifier modifier. See "RequestingOfficerVerifier" in the Technical Description.

Possibility to have multiple of the same OID in the same SET

It is possible to have multiple SEQUENCE with the same OID within the same SET structure in the ASN.1 of a x.509 certificate by setting the flag "RelativeDistinguishedName.containedSingleSet" to either true or false in the rfc5280 cert format. See "Forcing subject multi-values to the same SET" in the Technical Description.

This setting changes the ASN.1 structure of the issuer and subject fields of the certificate and should only be activated if there are known requirements for it.

Force calculation of notAfter in certificate from issuance time

It is now possible to force the calculation of the "notAfter" date to be based on the time of certificate issuance instead of the "notBefore" value by setting format field 'Id2Legacy.certvalidity-validto-from-issuance' to true in the certificate format. This is useful when a hard coded "notBefore" time (set in the certificate format) and a "notAfter" time based on the time of issuance is wanted.

Changed functionality

MariaDB JDBC driver have been updated to 3.0.7

The MariaDB JDBC driver has been updated and the parameter 'permitMysqlScheme' must be added to the connection string if using MySQL. See Set up MySQL in Certificate Manager for more information.

ADAL authentication changed to MSAL for SCEP Intune

Since the ADAL authentication API has been deprecated by Microsoft, the SCEP Intune protocol in Certificate Manager has been updated to use the MSAL authentication API instead. See Example: SCEP Intune configuration in Protocol Gateway for more information.

Updated default p12 binaries to use AES256 encryption

Updated kek.p12, pin.p12, tcsigner.p12 and tls.p12 to use AES256 as protection in CF keystore.

Possibility to use AES key length of 128bits with SKIP

Its now possible to set the key length of the AES key to be used with SKIP by setting the parameter 'aes-bit-key-length' in the format file used by the key procedure. If this parameter is not set it defaults to use 256 bit AES key length. See Use the Secure Key Injection Protocol in Certificate Manager for more information.

Support for concatenation key derivation function with SKIP

It is now possible to use the concatenation key derivation function with the shared secret that is derived during the Secure Key Injection Protocol. This can be configured in the cert format by setting the parameter 'is-plug-and-charge' to true.

Rest API: Adds support for validTo and validFrom in SKIP endpoint

SKIP endpoint of the Rest API now contains the ability to control the certificate attributes "ValidTo" and "ValidFrom" of the incoming CSR. The given validity time applies to all of the produced certificates, that is, factory keypair, ephemeral keypair and device keypair certificate.

Years and months can be used to configure CRL/CIL procedures

In addition to minutes, hours and days, now months and years can be used as well to configure the update interval and margin for a CRL an CIL procedure inside the AWB client. See Create CRL procedure in Certificate Manager and Create CIL procedure in Certificate Manager for more information.

Added possibility to disable the requestLogUpdaterTask

A system with a large CMDB Auditlog can have a long startup time when an internal CF process, RequestLogUpdaterTask, checks for database entries to update in the audit log. The audit log update process is a one-time operation when upgrading from 8.0 to 8.1. After completing the audit log update, the background process Request Log Updater can be completely turned off by the new configuration option. The parameter 'DbCleanupService.RequestLogUpdaterTask.start' has been added to cm.conf, and by setting this parameter to false the 'RequestLogUpdaterTask' gets disabled.

Use AWB officer role no longer permit manual build of CRL/CIL

The officer role "Use AWB" does no longer entail building of CRLs and CILs. This role is now used for read-only access to the AWB. The new role "Manual build of CRL and CIL" is now needed for an officer to manually build CRLs and CILs. The officer profile that was previously used by the officer that performed manual builds must be modified to include the role "Manual build of CRL and CIL". See Officers and roles in Certificate Manager for more information.

AES256 protection of CA keys in PKCS#12 key store file

The CA private keys, in a PKCS12 key store, are protected with AES256. See also the description of "storeType" and the new "iterations" parameter in cis.conf. See "Additional Parameters for JCE Devices" in Technical Description.

Detailed feature list

For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Nexus Certificate Manager to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.